Representer authorization in user representation

Before starting a user representation, the system checks whether the current representer is allowed to represent a particular user. In order to perform the necessary authorization, the system calls a plugin that implements the Java interface RepresentationAuthorization.

package com.airlock.iam.login.app.misc.representation.authorization;

import com.airlock.iam.core.misc.authen.Authentee;

/**
 * Defines the authorization that is required when the user representation feature is used.
 * The authorization defines whether a user has enough rights to represent another user of the system.
 */
public interface RepresentationAuthorization {
    /**
     * Checks whether a representer is authorized to take the identity of a representee.
     * @param representer The authenticated user ({@link Authentee}) who wants to represent another user.
     * @param representee The user name of the user who is to be represented.
     * @return True if the representer is authorized to represent the representee.
     */
    public boolean isUserRepresentable(Authentee representer, String representee);
}
Currently, two different plugins that implement this interface are available in the product:
  • Allow All Representation Authorization – this plugin does not perform any authorization and always returns true; it is only appropriate where every authenticated representer is trusted to represent any user.
  • Role Based Representation Authorization – this plugin checks whether the representer has at least one of the required roles, which are configured in the plugin.

Companies that use the representation feature can implement their own authorization scheme. For example, if a bank's policy requires that only a customer's personal service consultant can represent that customer, the bank could implement a RepresentationAuthorization plugin that calls a service on one of the bank's servers to check whether the representer is recorded as the personal service consultant of the representee.
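The following class is an added example of such a custom plugin, covering both the interface above and the bank policy just described; it is not code from Airlock IAM or from any bank. It assumes that Authentee exposes the login name through a getUsername() method, and the AssignmentLookup interface, the MapLookup class and the package name are hypothetical stand-ins for the bank's own lookup service. The security-relevant choices are that every input and error path is denied by default, so a null representee, a missing login name or an unreachable backend can never be turned into an authorization.

```java
// Hypothetical package for this added example; not part of Airlock IAM.
package com.example.bank.iam.representation;

import com.airlock.iam.core.misc.authen.Authentee;
import com.airlock.iam.login.app.misc.representation.authorization.RepresentationAuthorization;

import java.util.Map;
import java.util.Set;

/**
 * RepresentationAuthorization plugin for the policy "only a customer's personal
 * service consultant may represent that customer". Anything not explicitly
 * allowed is denied, including every error path of the lookup.
 */
public class ConsultantAssignmentAuthorization implements RepresentationAuthorization {

    /** Bank-side lookup (assumed interface, not an Airlock IAM API). */
    public interface AssignmentLookup {
        /**
         * Returns true only if consultant is the personal service consultant of customer.
         * Throws if the backend is unreachable or returns an unusable answer.
         */
        boolean isPersonalConsultantOf(String consultant, String customer) throws Exception;
    }

    private final AssignmentLookup lookup;

    public ConsultantAssignmentAuthorization(AssignmentLookup lookup) {
        if (lookup == null) throw new IllegalArgumentException("lookup must not be null");
        this.lookup = lookup;
    }

    @Override
    public boolean isUserRepresentable(Authentee representer, String representee) {
        if (representer == null) return false;
        // Assumption: Authentee exposes the authenticated login name via getUsername().
        return decide(representer.getUsername(), representee);
    }

    /** The policy decision on plain user names, so it can be exercised without an Authentee. */
    boolean decide(String consultant, String representee) {
        if (consultant == null || consultant.isEmpty()) return false;   // no identity, no access
        if (representee == null || representee.isEmpty()) return false; // nothing to represent
        try {
            // Exact-match comparison: the lookup must use the same canonical user
            // names as the IAM user directory, otherwise a mismatch denies (safe side).
            return lookup.isPersonalConsultantOf(consultant, representee);
        } catch (Exception e) {
            // Fail closed: a backend outage or malformed answer must not grant access.
            return false;
        }
    }

    /** In-memory lookup over constructed sample assignments, for a local run. */
    static final class MapLookup implements AssignmentLookup {
        private final Map<String, Set<String>> customersByConsultant;

        MapLookup(Map<String, Set<String>> customersByConsultant) {
            this.customersByConsultant = customersByConsultant;
        }

        @Override
        public boolean isPersonalConsultantOf(String consultant, String customer) {
            Set<String> customers = customersByConsultant.get(consultant);
            return customers != null && customers.contains(customer);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: consultant "c.meier" serves two customers, "a.keller" one.
        AssignmentLookup sample = new MapLookup(Map.of(
                "c.meier", Set.of("cust-1001", "cust-1002"),
                "a.keller", Set.of("cust-2001")));
        ConsultantAssignmentAuthorization auth = new ConsultantAssignmentAuthorization(sample);

        System.out.println(auth.decide("c.meier", "cust-1001"));  // own customer
        System.out.println(auth.decide("c.meier", "cust-2001"));  // another consultant's customer
        System.out.println(auth.decide("c.meier", null));         // no representee given
        System.out.println(auth.decide("", "cust-1001"));         // representer has no login name

        // A failing backend is treated as "not authorized", never as "allowed".
        AssignmentLookup broken = (c, u) -> { throw new java.io.IOException("backend unreachable"); };
        System.out.println(new ConsultantAssignmentAuthorization(broken).decide("c.meier", "cust-1001"));
    }
}
```

Because the interface only returns a boolean, the plugin cannot pass a reason to the representation denied page; if the reason matters for support staff, log it inside the plugin before returning false. How a plugin is packaged and selected in the configuration is described in the IAM Custom Development Guide referenced below.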

If the representer is not authorized to represent the desired user, a representation denied page is shown explaining the reason.

Further information and links

  • Further information can be found in the IAM Custom Development Guide. You can request the latest version of the IAM Custom Development Guide by opening a support ticket. See Techzone - Airlock support process (ergon.ch) for more information.